Billing method using ssl/tls

ABSTRACT

The invention relates to a billing method for requesting contents or data in a network. According to said billing method, the client or the person representing the client has a certificate for the billing method. Said certificate contains data that prove the client&#39;s identity and that facilitate establishment of a bill or statement. The Secure Socket Layer (SSL) protocol or a variant of the SSL protocol which allows display of a dialog box is used for the client-server connection, using an SSL client certificate that contains an extension indicating that the certificate is suitable for the purpose of billing, the server transmitting the price for the required content or the data during the handshake protocol. A confirmation message that is also contained in the SSL protocol and that contains a digital signature is sent from the client to the server, said confirmation message confirming the previously transmitted price.

[0001] The present invention relates to a billing method for requesting contents or data in a network, the client or the customer who uses the client having a certificate for the billing method, the certificate containing verified data which identifies the customer and permits preparation of a bill or billing.

[0002] The specification of a billing method for Internet contents constitutes a great challenge. There is a huge demand, in particular, also in telecommunications companies. There exists, for example, the approach in which the existing modem or ISDN connection to the Internet service provider (e.g., T-Online) is disconnected upon calling up a WWW page which is subject to charge, and a new connection is established via a 0190 call number. This approach does not comply with Internet standards and potentially involves a whole host of problems in practice.

[0003] The most frequently used billing method in the Internet is billing via credit card. Here, however, the cost and possibilities of abuse are very high.

[0004] Today, for securing, that is, for the secure transmission of data in the case of client/server connections, there is a generally accepted standard, the Secure Socket Layer (SSL) protocol, also referred to as Transport Layer Security (TLS). SSL is supported in all WWW browsers and WWW servers today. The slightly modified variant TLS was standardized by the IETF (IETF RFC 2246). SSL/TLS mandatorily supports the authentication of the server and, optionally, the authentication of the client.

[0005] The object of the present invention is to provide a secure billing method which uses protocols which are already available in WWW browsers.

[0006] This objective is achieved according to the present invention by a billing method having the features of Claim 1. Further advantageous embodiments of the method according to Claim 1 result from the features of the subclaims.

[0007] The present invention has the advantage over conventional methods that no client software needs to be installed at the customer site because all standard browsers support SSL/TLS. The customer only has to request a special certificate. In practice, however, it is also possible to provide a special SSL client software for the customer which shows him/her the actual price for an Internet page which has been called up. On the server side, only small changes have to be made. The security of the method is high since SSL has proven efficient in practice for many years already.

[0008] It is an advantage that the Secure Socket Layer (SSL) protocol or a variant of the SSL protocol which allows display of a dialog box is used for the client/server connection. Advantageously, an SSL client certificate is used in which, for example, an extension is set which indicates that the certificate is suitable for billing purposes. During the handshake protocol, the price for the requested content or the data is then transmitted from the server to the client, and an acknowledgment message, which is also integrated in the SSL protocol and contains a digital signature, is transmitted from the client to the server, the acknowledgment message acknowledging the previously transmitted price. In order to be able to prove the billing at a later time, it is advantageous for the acknowledgment messages and/or log files to be logged by the server and for the data contained therein to be used for billing.

[0009] Advantageously, the SSL connection is disconnected upon download of the paid content or of the paid data. In this context, the disconnection can be carried out automatically by the server. In this manner, it is guaranteed that an SSL connection is established again upon a new request of data or WWW contents which are subject to charge.

[0010] Alternatively, it is possible for a possibly existing SSL connection to be disconnected by the server or an interconnected Internet page prior to selecting an Internet page which is subject to charge and that thereupon, a new client authentication takes place for downloading the Internet page which is subject to charge.

[0011] As a rule, the price for the selected Internet page is indicated to the customer on the preceding page. In this context, however, he/she must rely on the operator of the web server to display the correct price. A fraudulent web server operator could display a different price than is contained in the corresponding protocol message. In this case, the client software of the user would sign the possibly higher price without knowledge of the user. To give the customer better billing transparency here, and to rule out possibilities of fraud, it is advantageous to carry out an interrogation at the client site, in particular, using a dialog box, with the options “next” and “abort” prior to signing the acknowledgment message, in which the displayed cost for the selected Internet page or for the selected data which are subject to charge can be manually acknowledged, the content or the data which are subject to charge being transmitted from the server to the client upon acknowledgment of the cost or else, the interrogation process being terminated. This allows the user to stop a mistakenly selected order which is subject to charge without incurring any cost to him/her.

[0012] In this context, the corresponding interrogation can advantageously be implemented via an error message of the client (for example, Certificate Name Check) or via a Java applet or an Active-X application which, in particular, are signed themselves.

[0013] All cost information can also be transmitted to the client via signed XML (eXtended Markup Language) pages. In this context, it is possible for the pages to be signed with a price indication and/or with a time indication. Also, a hash value of the content of the page which is subject to charge can additionally be included in the signature.

[0014] In the following, a possible embodiment of the billing method according to the present invention for the Internet will be described in detail. In this embodiment, the customer requests a special SSL client certificate. In this certificate, an extension is set which indicates that this certificate can be used for billing purposes. The certificate should contain verified data, for example, customer number, etc., which permits preparation of a bill. In this context, pages on a server which are subject to charge can only be viewed via the https protocol with client authentication. The authentication of the client for this URL is logged and stored in a log file. The price for the page which is subject to charge is contained in an SSL message which is transmitted from the server to the client during the handshake protocol (a kind of electronic billing voucher). The server receives an electronic signature of this billing voucher through a corresponding acknowledgment message which is also provided in the SSL protocol. In this manner, it is verifiably documented on the server side that the user has actually requested the page which is subject to charge. Prior to selecting a further page which is subject to charge, the SSL connection is disconnected (for example, by an interconnected http page or through the termination of the connection by the server). Because of this, a new client authentication is required which, in turn, can be logged. The billing data contained in the log file is prepared and forwarded for billing. The log file is kept until the bill is paid or until the customer's period of objection for the direct debiting service has expired. In the following, the billing method will be described in further details. As soon as an SSL connection is established, initially, the SSL handshake protocol is executed. An SSL connection is established, inter alia, when the client requests a web page via the https protocol, for example, in the case of a link of the type https://www.subject-to-charge.com.

[0015] In this context, the standardized SSL/TLS handshake protocol includes the following steps: Client Server 1. ClientHello message including the → proposed SSL options 2. ← ServerHello message including the proposed SSL options 3. ← Certificate message including server certificate 4. ← Via the CertificateRequest message, the client is prompted to authenticate itself 5. ← ServerHelloDone message 6. Certificate message including client → certificate 7. ClientKeyExchange message → including session key (encrypted with public key of the server) 8. CertificateVerify message → including signature of all preceding handshake messages 9. ChangeCipherSpec → 10. Finished → 11. ← ChangeCipherSpec 12. ← Finished

[0016] To integrate a billing method into this standard protocol, it is possible to use the ServerHello, Certificate, CertificateRequest, Certificate (of the client) and CertificateVerify messages.

[0017] In the ServerHello message, the price for the page can be embedded into the values random (a 32 byte long random value in which the time is included as well) and/or SessionID. If the price is embedded in place of a part of the time, then in fact no negative effects with regard to the security of the SSL/TLS protocol are to be expected since the time is also a publicly known value.

[0018] The Certificate message of the server can also be used for transmitting the price if the server gets itself a separate certificate for each possible price (for example, certificates for 1, 2, 5, 10, 50 pfennigs and for 1, 2, 5, 10 DM). Optionally, a pop-up in which this price would then be indicated could be provoked at this point with the aid of slightly incorrect certificates. However, since the behavior of the clients can greatly differ in this point, this method can surely be universally implemented only with difficulty (possibly, an IETF RFC on the behavior of clients in response to incorrect certificates would be required here).

[0019] With the aid of the CertificateRequest message, the server communicates to the client

[0020] a) that the SSL session to be established is subject to charge, and can communicate to it

[0021] b) the cost for the SSL session to be established.

[0022] The billing information (customer number, bank account information, and the like) is contained in the certificate of the client. Since these information items are transmitted with the certificate message. With the CertificateVerify message, the client confirms the purchase, he/she sort of signs the billing voucher.

[0023] Technically, this is accomplished as follows (it should be observed that the “new” SSL protocol should continue to be compatible with a standard SSL, that is, a client which has no billing functionality is intended to behave accordingly).

[0024] In this context, the CertificateRequest message is composed as follows: Prot: Vers: 0 Length Length Type: Length Length 22 3 I I 13 II II Length II CT CT 1 CT2 ... CT n CAs CA 1 No. of No. of L. Name of CA 1 CA 2 L. Name of CA 2 ... Ca n L. Name of CA n

[0025] The first five bytes describe the protocol (SSL handshake), the SSL version and the length of the entire message. The next four bytes describe the type of the handshake message (CertificateRequest) and its length. Following is a list of certificate types: First, the number of (permitted) certificate types, then the certificate types themselves (a number between 1 and 255). This is followed by a list of permitted certificate authorities (CAs), in this case, number of CAs, name length of CA 1, name of CA 1, and so on.

[0026] A certificate authority is described with its distinguished name (DN). A distinguished name can be described with the aid of the in specified description language ASN.1 as follows: Name :: = SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName :: = SET OF AttributeValueAssertion AttributeValueAssertion : := SEQUENCE { attributeType OBJECT IDENTIFIER attributeValue ANY }

[0027] Attribute types which are usually used are the following: countryName :: = SEQUENCE{ {2 5 4 6}, StringType (SIZE(2) )} organization :: = SEQUENCE{ {2 5 4 10}, StringType (SIZE(1...64) ) } organizationalUnitName :: = SEQUENCE{ {2 5 4 11}, StringType ( SIZE (1...64))} commonName :: = SEQUENCE{ {2 5 4 3}, StringType (SIZE (1...64) ) } localityName :: = SEQUENCE{ {2 5 4 7}, StringType(SIZE(1...64) ) } stateOrProvinceName :: = SEQUENCE{ {2 5 4 8}, StringType ( SIZE (1...64) ) }

[0028] These attributes therefore uniquely describe a certificate authority whose certificates are acknowledged by the server for authenticating the client. What is decisive for extending the SSL protocol to an Internet billing method is that a distinguished name can also be used to describe a price for an SSL session. To this end, the commonName attribute is set to “PRICE” and, in addition, the attribute types currency :: = SEQUENCE{ {2 x y z}, StringType (SIZE(3) ) } amount :: = SEQUENCE{ {2 x y z}, INTEGER } cent :: = SEQUENCE{ {2 x y z}, INTEGER { 0, ...,99 } }

[0029] are used.

[0030] Consequently, a corresponding CertificateRequest message which contains the price information is a list including the distinguished names of the CAs which issue billing certificates and, in addition, contains a distinguished name of the form commonName: “PRICE”, currency: “EUR”, amount:19, cent:95

[0031] This distinguished name does, of course, not refer to a certificate authority which exists in reality but is used in the list of permitted certificate authorities only to document the price for the SSL session.

[0032] A client which possesses an appropriate billing certificate of one of the permitted certificate authorities transmits this [appropriate billing certificate] to the server in the certificate message. In the extension field, the certificate contains one or more extension values including billing information such as

[0033] account number, bank identifier code

[0034] alternatively: customer number

[0035] alternatively: credit card number

[0036] maximum amount up to which the certificate is valid

[0037] With the Certificate Verify message, the client finally signs the virtual sales slip: this message contains a hash value which is signed by the client and composed as follows: MD5 (master secret, 48times 5C₁₆, MD5 (HandshakeMessages, MasterSecret, 48times 36₁₆)

[0038] This hash value (MD5) is, in particular, calculated with a hash value (inner MD5) which is generated, inter alia, using all handshake messages which have been exchanged up to this point of time. From there, it follows that the corresponding electronic signature of this hash value is to be treated as equivalent of a signature of the preceding handshake messages provided that the master secret is known during the checking of this signature. Since the preceding handshake messages contained, inter alia, the ServerHello, Certificate and CertificateRequest messages of the server with the price, it is documented by the signature in the Certificate Verify message that the client has taken notice of the demanded price.

[0039] For each established SSL session, the exchanged handshake messages, the MasterSecret and the hash value with the signature of the Certificate Verify message of the client are logged by the server. With this information the operator of the server can later prove that such an SSL connection was established during which the respective price was demanded.

[0040] A standard SSL client possessing a certificate issued by a billing CA would provide the respective certificate to the server since it (the standard SSL client) is able to gather from the list of permitted CAs which certificate is required to establish this connection. It (the standard SSL client) would ignore the distinguished name having the commonName “PRICE” but nevertheless also hash this DN in the Certificate Verify and, consequently, sign it as well.

[0041] A correspondingly modified SSL client would evaluate the DN having the commonName “PRICE” of the CertificateRequest message and display it to the user prior to continuing the handshake.

[0042] Of course, the above-described modifications of the known SSL protocol are only exemplary and other modifications can, of course, be made depending on the given circumstances. 

What is claimed is:
 1. A billing method for requesting contents or data in a network, the client or the customer who uses the client having a certificate for the billing method, the certificate containing verified data which identifies the customer and permits preparation of a bill or billing, wherein the Secure Socket Layer-(SSL-) protocol or a variant of the SSL protocol is used for the client/server connection, an SSL client certificate being used in which an extension is set which indicates that the certificate is suitable for billing purposes; and during the handshake protocol, the price for the requested content or the data is transmitted from the server to the client, and an acknowledgment message, which is also integrated in the SSL protocol and contains a digital signature, is transmitted from the client to the server, the acknowledgment message acknowledging the previously transmitted price.
 2. The billing method as recited in claim 1, wherein the acknowledgment messages and/or log files are logged by the server and the data contained therein are used for billing.
 3. The billing method as recited in one of the preceding claims, wherein the SSL connection is disconnected upon download of the paid content or of the paid data.
 4. The billing method as recited in claim 3, wherein the disconnection is carried out automatically by the server.
 5. The billing method as recited in one of the preceding claims, wherein a possibly existing SSL connection is disconnected by the server or an interconnected Internet page prior to selecting an Internet page which is subject to charge and thereupon, a new client authentication takes place for downloading the Internet page which is subject to charge.
 6. The billing method as recited in one of the preceding claims, wherein an interrogation is carried out at the client site, in particular, using a dialog box, prior to signing the acknowledgment message, in which the displayed cost for the selected Internet page or the selected data which are subject to charge can be manually acknowledged, the content or the data which are subject to charge being transmitted from the server to the client upon acknowledgment of the cost, or else the interrogation process being terminated.
 7. The billing method as recited in claim 6, wherein the interrogation is implemented via an error message of the client (for example, Certificate Name Check).
 8. The billing method as recited in claims 1 through 6, wherein the SSL protocol or a variant thereof is implemented via a Java applet or an Active-X application which, in particular, are signed themselves.
 9. The billing method as recited in one of the preceding claims, wherein cost information is transmitted to the client via signed XML (eXtended Markup Language) pages.
 10. The billing method as recited in claim 10, wherein the pages are signed with a price indication and/or with a time indication.
 11. The billing method as recited in claim 11, wherein a hash value of the content of the page which is subject to charge is also included in the signature. 